Over the past several years, ZeroFOX has identified and remediated tens of thousands of social engineering profiles and fake accounts impersonating our customers. These accounts spoof a company’s brand or executive persona, hijack their logo, messaging and exec or product photos, and try to mimic the authentic account in order to attack employees and defraud customers.

In this white paper, ZeroFOX analyzes nearly 40,000 identified impersonator profiles to uncover trends over time and the commonly observed TTPs (Tactics, Techniques, and Procedures) and payloads. We analyze nearly 1000 of them in depth, often engaging with the cyber criminal to understand their intentions and methodologies. Ultimately, we try to answer the question: what are all these fraudulent profiles doing?

Highlights of findings:

The number of impersonators increased 11x from December 2014 to December 2016.

Verified account impersonators are systemic across the networks and were found on Facebook, Twitter, and Instagram; impersonators also use YouTube to promote them.

Nearly half of all nefarious social media impersonators disguise their payload as a fake coupon or giveaway, using the brand to attract promotion seekers.

Over ⅓ of all nefarious social media impersonators send their target to a phishing page to steal social media account credentials, credit cards, and personal information.

Impersonators regularly wipe accounts and leave them dormant to avoid detection between attack campaigns, then later weaponize them in new ways.